WEBVTT

1
00:00:00.000 --> 00:00:01.680
In this section of the course,

2
00:00:01.680 --> 00:00:05.100
we are going to discuss threat modeling considerations.

3
00:00:05.100 --> 00:00:08.010
The threat modeling consideration section of the course

4
00:00:08.010 --> 00:00:11.790
focuses on "Domain 1: Governance, Risk, and Compliance,"

5
00:00:11.790 --> 00:00:14.940
as well as "Domain 3: Security Engineering,"

6
00:00:14.940 --> 00:00:18.690
specifically, objectives 1.4 and 3.2.

7
00:00:18.690 --> 00:00:21.900
Objective 1.4 states that, given a scenario,

8
00:00:21.900 --> 00:00:25.200
you must be able to perform threat modeling activities.

9
00:00:25.200 --> 00:00:28.290
Objective 3.2 states that, given a scenario,

10
00:00:28.290 --> 00:00:30.570
you must be able to analyze requirements

11
00:00:30.570 --> 00:00:33.570
to enhance the security of endpoints and servers.

12
00:00:33.570 --> 00:00:36.810
Threat modeling is the process of identifying and evaluating

13
00:00:36.810 --> 00:00:39.210
potential threats to your organization.

14
00:00:39.210 --> 00:00:41.160
When assessing potential threats,

15
00:00:41.160 --> 00:00:42.840
it's important to understand

16
00:00:42.840 --> 00:00:45.600
not only who might target your organization,

17
00:00:45.600 --> 00:00:47.730
but also why they might do so.

18
00:00:47.730 --> 00:00:49.770
Different attackers have varying levels

19
00:00:49.770 --> 00:00:52.800
of resources, skills, and motivations,

20
00:00:52.800 --> 00:00:56.160
each of which influence the strategies and tools they use.

21
00:00:56.160 --> 00:00:57.960
By analyzing these factors,

22
00:00:57.960 --> 00:01:00.780
you can anticipate how an attack might occur

23
00:01:00.780 --> 00:01:03.300
and prepare defenses to respond to it.

24
00:01:03.300 --> 00:01:04.800
As we go through this section,

25
00:01:04.800 --> 00:01:06.210
we'll cover many topics

26
00:01:06.210 --> 00:01:08.550
related to threat modeling considerations,

27
00:01:08.550 --> 00:01:11.010
including threat actor motivation,

28
00:01:11.010 --> 00:01:14.370
threat actor resources, threat actor capabilities,

29
00:01:14.370 --> 00:01:17.280
attack patterns, threat actor methods,

30
00:01:17.280 --> 00:01:19.680
initial access and escalation methods,

31
00:01:19.680 --> 00:01:23.190
and post-exploitation and evasion methods.

32
00:01:23.190 --> 00:01:26.220
First, we will look at threat actor motivation.

33
00:01:26.220 --> 00:01:29.850
Threat actor motivations are the underlying reasons or goals

34
00:01:29.850 --> 00:01:31.800
that drive an attacker to target

35
00:01:31.800 --> 00:01:34.140
a specific organization or system.

36
00:01:34.140 --> 00:01:37.350
Threat actor motivations include geopolitical,

37
00:01:37.350 --> 00:01:42.350
espionage, financial, activism, and notoriety factors.

38
00:01:42.450 --> 00:01:46.470
Geopolitical motivations often involve nation state actors

39
00:01:46.470 --> 00:01:48.480
seeking to disrupt or influence

40
00:01:48.480 --> 00:01:51.660
another country's political or economic stability.

41
00:01:51.660 --> 00:01:53.880
Espionage is driven by the desire

42
00:01:53.880 --> 00:01:55.710
to steal sensitive information

43
00:01:55.710 --> 00:01:59.370
such as intellectual property or state secrets.

44
00:01:59.370 --> 00:02:02.760
Financially-motivated attackers seek monetary gain

45
00:02:02.760 --> 00:02:03.960
usually through activities

46
00:02:03.960 --> 00:02:06.480
like ransomware attacks or fraud.

47
00:02:06.480 --> 00:02:09.300
Activists, often known as hacktivists,

48
00:02:09.300 --> 00:02:11.940
aim to promote a political or social cause

49
00:02:11.940 --> 00:02:15.120
by disrupting services or leaking information.

50
00:02:15.120 --> 00:02:16.800
And notoriety-driven attackers,

51
00:02:16.800 --> 00:02:18.420
including thrill seekers

52
00:02:18.420 --> 00:02:20.790
or those seeking to build a reputation,

53
00:02:20.790 --> 00:02:22.860
may target high-profile systems

54
00:02:22.860 --> 00:02:25.650
to gain recognition or bragging rights.

55
00:02:25.650 --> 00:02:28.650
In comparison, a financially-motivated attacker

56
00:02:28.650 --> 00:02:30.090
might deploy ransomware

57
00:02:30.090 --> 00:02:32.370
to extort money from an organization,

58
00:02:32.370 --> 00:02:34.200
while a politically-motivated attacker

59
00:02:34.200 --> 00:02:37.980
might launch a cyberattack to destabilize a rival nation

60
00:02:37.980 --> 00:02:40.260
during a time of political tension.

61
00:02:40.260 --> 00:02:43.590
Next we will explore threat actor resources.

62
00:02:43.590 --> 00:02:45.570
Threat actor resources are the assets

63
00:02:45.570 --> 00:02:47.370
that an attacker has available

64
00:02:47.370 --> 00:02:50.610
to plan, execute, and sustain an attack.

65
00:02:50.610 --> 00:02:54.330
Threat actor characteristics include resource considerations

66
00:02:54.330 --> 00:02:56.130
such as time and money.

67
00:02:56.130 --> 00:02:58.140
Time is a critical resource.

68
00:02:58.140 --> 00:03:00.930
Well-funded threat actors like nation state actors

69
00:03:00.930 --> 00:03:02.820
may have the luxury to conduct

70
00:03:02.820 --> 00:03:05.340
prolonged sophisticated campaigns,

71
00:03:05.340 --> 00:03:08.550
allowing them to meticulously plan and execute their attacks

72
00:03:08.550 --> 00:03:10.830
over months or even years.

73
00:03:10.830 --> 00:03:13.740
Money enables attackers to purchase advanced tools,

74
00:03:13.740 --> 00:03:17.580
higher-skilled personnel or even acquire zero-day exploits.

75
00:03:17.580 --> 00:03:20.520
In this way, money significantly increases

76
00:03:20.520 --> 00:03:23.820
the sophistication and potential impact of operations.

77
00:03:23.820 --> 00:03:26.730
For example, a financially-backed threat actor

78
00:03:26.730 --> 00:03:30.210
might spend significant resources to buy high-end malware

79
00:03:30.210 --> 00:03:31.950
or bribe insiders,

80
00:03:31.950 --> 00:03:34.200
while a less resourced attacker might rely

81
00:03:34.200 --> 00:03:38.730
on publicly available tools and quick opportunistic attacks.

82
00:03:38.730 --> 00:03:41.910
After that, we will look at threat actor capabilities.

83
00:03:41.910 --> 00:03:45.120
Threat actor capabilities are the skills, tools,

84
00:03:45.120 --> 00:03:47.670
and expertise that attackers possess

85
00:03:47.670 --> 00:03:51.450
to identify and exploit vulnerabilities in a target system.

86
00:03:51.450 --> 00:03:53.880
Threat actor characteristics include capabilities

87
00:03:53.880 --> 00:03:58.140
such as knowledge, vulnerability creation, exploit creation,

88
00:03:58.140 --> 00:03:59.970
and supply chain access.

89
00:03:59.970 --> 00:04:02.370
Threat actor knowledge encompasses an understanding

90
00:04:02.370 --> 00:04:04.890
of a target's systems and defenses.

91
00:04:04.890 --> 00:04:08.520
Knowledge, usually through enumeration or inside sources,

92
00:04:08.520 --> 00:04:11.880
enables attackers to effectively identify vulnerabilities

93
00:04:11.880 --> 00:04:13.590
and exploit weaknesses.

94
00:04:13.590 --> 00:04:16.650
Next, vulnerability creation involves the ability

95
00:04:16.650 --> 00:04:19.470
to introduce new vulnerabilities within a system.

96
00:04:19.470 --> 00:04:21.420
Exploit creation, on the other hand,

97
00:04:21.420 --> 00:04:23.970
refers to the development of tools or methods

98
00:04:23.970 --> 00:04:26.970
to take advantage of identified vulnerabilities.

99
00:04:26.970 --> 00:04:29.220
Finally, supply chain access

100
00:04:29.220 --> 00:04:32.790
represents an advanced capability where attackers infiltrate

101
00:04:32.790 --> 00:04:35.400
third-party vendors or service providers

102
00:04:35.400 --> 00:04:38.010
to compromise the target indirectly.

103
00:04:38.010 --> 00:04:40.500
Next, we will explore attack patterns.

104
00:04:40.500 --> 00:04:42.930
Attack patterns are tactics and techniques

105
00:04:42.930 --> 00:04:44.100
that threat actors use

106
00:04:44.100 --> 00:04:46.440
to exploit vulnerabilities in a system.

107
00:04:46.440 --> 00:04:47.550
In threat modeling,

108
00:04:47.550 --> 00:04:50.700
attack patterns may be modeled to include injection,

109
00:04:50.700 --> 00:04:52.800
authentication and authorization,

110
00:04:52.800 --> 00:04:54.900
and on-path attacks.

111
00:04:54.900 --> 00:04:56.580
Injection attacks involve

112
00:04:56.580 --> 00:04:59.850
inserting malicious code or commands into a system

113
00:04:59.850 --> 00:05:01.770
through vulnerable input points.

114
00:05:01.770 --> 00:05:05.190
Modeled injection attacks include SQL injection

115
00:05:05.190 --> 00:05:06.930
into a web application

116
00:05:06.930 --> 00:05:09.990
with the goal of manipulating the system's behavior.

117
00:05:09.990 --> 00:05:12.300
Authentication and authorization attacks

118
00:05:12.300 --> 00:05:15.270
target the mechanisms that control user access.

119
00:05:15.270 --> 00:05:17.190
Authentication and authorization attacks

120
00:05:17.190 --> 00:05:19.770
include brute force attacks on passwords

121
00:05:19.770 --> 00:05:23.010
or exploiting flaws in access control lists

122
00:05:23.010 --> 00:05:24.900
to gain unauthorized entry.

123
00:05:24.900 --> 00:05:27.060
On-path attacks, formerly known

124
00:05:27.060 --> 00:05:28.770
as man-in-the-middle attacks,

125
00:05:28.770 --> 00:05:30.690
occur when an attacker intercepts

126
00:05:30.690 --> 00:05:34.560
and potentially alters communications between two parties.

127
00:05:34.560 --> 00:05:37.620
On-path attacks aim to steal sensitive information

128
00:05:37.620 --> 00:05:39.870
or inject malicious content.

129
00:05:39.870 --> 00:05:42.720
In application, a modeled threat attacker

130
00:05:42.720 --> 00:05:46.380
could use an injection attack to compromise a database,

131
00:05:46.380 --> 00:05:49.080
then exploit weak authentication controls

132
00:05:49.080 --> 00:05:50.760
to escalate privileges,

133
00:05:50.760 --> 00:05:53.790
and finally execute an on-path attack

134
00:05:53.790 --> 00:05:56.310
to intercept and manipulate network traffic,

135
00:05:56.310 --> 00:05:59.730
demonstrating how multiple attack patterns can be combined

136
00:05:59.730 --> 00:06:01.710
to achieve a broader objective.

137
00:06:01.710 --> 00:06:05.010
Following that, we will look at threat actor methods.

138
00:06:05.010 --> 00:06:08.250
Threat actor methods are specific strategies and approaches

139
00:06:08.250 --> 00:06:10.590
attackers use to compromise systems

140
00:06:10.590 --> 00:06:12.930
to achieve their actions on objectives.

141
00:06:12.930 --> 00:06:16.800
Threat actor methods include abuse cases, anti-patterns,

142
00:06:16.800 --> 00:06:18.900
and attack trees or graphs.

143
00:06:18.900 --> 00:06:20.400
Abuse cases are scenarios

144
00:06:20.400 --> 00:06:22.410
where legitimate features of a system

145
00:06:22.410 --> 00:06:26.100
are misused or exploited by attackers to cause harm.

146
00:06:26.100 --> 00:06:27.840
An example of an abuse case

147
00:06:27.840 --> 00:06:30.210
is using password reset functionalities

148
00:06:30.210 --> 00:06:31.770
to hijack an account.

149
00:06:31.770 --> 00:06:35.400
Next, anti-patterns are common practices or solutions

150
00:06:35.400 --> 00:06:38.070
that, while initially appearing effective,

151
00:06:38.070 --> 00:06:40.920
actually create vulnerabilities or security risks.

152
00:06:40.920 --> 00:06:42.630
An example of an anti-pattern

153
00:06:42.630 --> 00:06:46.650
is using Base64 encoding to obfuscate sensitive information.

154
00:06:46.650 --> 00:06:50.670
This is because Base64 encoding simply changes the format

155
00:06:50.670 --> 00:06:52.080
of the sensitive data.

156
00:06:52.080 --> 00:06:54.330
It does not protect it in any way.

157
00:06:54.330 --> 00:06:56.670
Finally, attack trees or graphs

158
00:06:56.670 --> 00:06:59.190
are visual vulnerability representations

159
00:06:59.190 --> 00:07:02.370
that map out the various paths an attacker might take

160
00:07:02.370 --> 00:07:04.380
to achieve a specific goal.

161
00:07:04.380 --> 00:07:06.660
Attack trees and graphs may illustrate

162
00:07:06.660 --> 00:07:08.910
potential entry points, methods,

163
00:07:08.910 --> 00:07:11.910
and escalation steps involved in an attack.

164
00:07:11.910 --> 00:07:16.170
Then we will explore initial access and escalation methods.

165
00:07:16.170 --> 00:07:18.150
Initial access and escalation methods

166
00:07:18.150 --> 00:07:20.160
are the techniques attackers use

167
00:07:20.160 --> 00:07:22.500
to first gain entry into a system

168
00:07:22.500 --> 00:07:24.570
and then elevate their privileges

169
00:07:24.570 --> 00:07:26.670
to gain broader network control.

170
00:07:26.670 --> 00:07:28.710
Initial access and escalation methods

171
00:07:28.710 --> 00:07:32.970
include threat actor tactics, techniques, and procedures

172
00:07:32.970 --> 00:07:35.580
such as injections, credential dumping,

173
00:07:35.580 --> 00:07:37.320
and privilege escalation.

174
00:07:37.320 --> 00:07:41.190
Injections, such as SQL injection or command injection,

175
00:07:41.190 --> 00:07:43.410
are common methods attackers use

176
00:07:43.410 --> 00:07:45.990
to insert malicious code into a system

177
00:07:45.990 --> 00:07:47.700
to gain initial access.

178
00:07:47.700 --> 00:07:49.860
Credential dumping involves extracting

179
00:07:49.860 --> 00:07:51.810
stored usernames and passwords

180
00:07:51.810 --> 00:07:53.580
from compromised systems.

181
00:07:53.580 --> 00:07:55.620
Stolen credentials can then be used

182
00:07:55.620 --> 00:07:57.690
to authenticate as legitimate users

183
00:07:57.690 --> 00:07:59.970
and further compromise the network.

184
00:07:59.970 --> 00:08:03.060
Privilege escalation is the process by which an attacker,

185
00:08:03.060 --> 00:08:05.100
having gained initial access,

186
00:08:05.100 --> 00:08:08.100
exploits vulnerabilities or misconfigurations

187
00:08:08.100 --> 00:08:10.230
to increase their access rights.

188
00:08:10.230 --> 00:08:12.300
Privilege escalation allows attackers

189
00:08:12.300 --> 00:08:16.440
to perform unauthorized actions at a higher security level

190
00:08:16.440 --> 00:08:18.780
than their initial exploit provided.

191
00:08:18.780 --> 00:08:22.380
For example, an attacker might use an SQL injection

192
00:08:22.380 --> 00:08:24.930
to gain access to a web application,

193
00:08:24.930 --> 00:08:28.680
then perform credential dumping to retrieve admin passwords,

194
00:08:28.680 --> 00:08:32.250
and finally exploit a privilege escalation vulnerability

195
00:08:32.250 --> 00:08:34.650
to gain full control over the server.

196
00:08:34.650 --> 00:08:37.350
Finally, we will look at post-exploitation

197
00:08:37.350 --> 00:08:38.700
and evasion methods.

198
00:08:38.700 --> 00:08:42.030
Post-exploitation and evasion methods in threat modeling

199
00:08:42.030 --> 00:08:44.160
refer to the techniques attackers use

200
00:08:44.160 --> 00:08:46.080
after gaining initial access

201
00:08:46.080 --> 00:08:49.770
to maintain control, expand their reach within the system,

202
00:08:49.770 --> 00:08:51.420
and avoid detection.

203
00:08:51.420 --> 00:08:53.400
Post-exploitation and evasion methods

204
00:08:53.400 --> 00:08:57.030
include threat actor tactics, techniques, and procedures

205
00:08:57.030 --> 00:09:00.900
such as lateral movement, unauthorized execution,

206
00:09:00.900 --> 00:09:03.090
and defensive evasion.

207
00:09:03.090 --> 00:09:04.920
Lateral movement involves the attacker

208
00:09:04.920 --> 00:09:06.930
navigating through the network,

209
00:09:06.930 --> 00:09:09.690
often by compromising additional systems

210
00:09:09.690 --> 00:09:13.260
to gain access to more valuable assets or data.

211
00:09:13.260 --> 00:09:16.020
Unauthorized execution refers to an attacker

212
00:09:16.020 --> 00:09:19.950
running malicious code or commands on compromised systems,

213
00:09:19.950 --> 00:09:23.850
usually to conduct data exfiltration or system disruption.

214
00:09:23.850 --> 00:09:27.000
Defensive evasion encompasses attacker tactics

215
00:09:27.000 --> 00:09:31.950
to avoid detection by security tools and analysts.

216
00:09:31.950 --> 00:09:34.200
Defensive evasion tactics include

217
00:09:34.200 --> 00:09:37.920
disabling security software, hiding malicious processes,

218
00:09:37.920 --> 00:09:40.410
or using encrypted communication channels.

219
00:09:40.410 --> 00:09:43.650
In practice, an attacker might use lateral movement

220
00:09:43.650 --> 00:09:45.660
to access a critical database,

221
00:09:45.660 --> 00:09:49.230
execute unauthorized scripts to extract sensitive data,

222
00:09:49.230 --> 00:09:51.510
and employ defensive evasion techniques

223
00:09:51.510 --> 00:09:54.510
like wiping logs and disabling security alerts

224
00:09:54.510 --> 00:09:57.270
to remain undetected during the operation.

225
00:09:57.270 --> 00:09:59.790
To finish things off, we'll take a short quiz

226
00:09:59.790 --> 00:10:02.460
to see what you learned during this section of the course,

227
00:10:02.460 --> 00:10:05.760
and we will review each of those quiz questions fully

228
00:10:05.760 --> 00:10:08.610
to ensure you can explain why the right answers were right

229
00:10:08.610 --> 00:10:10.230
and the wrong answers were wrong.

230
00:10:10.230 --> 00:10:12.060
So let's get ready to dive

231
00:10:12.060 --> 00:10:13.920
into threat modeling considerations

232
00:10:13.920 --> 00:10:15.903
in this section of the course.